Customer Callback Example API
Overview
Due to the long-running nature of the Coverage Discovery process, all concluded task responses will be communicated asynchronously via the Customer's supplied callback url that must be whitelisted by Optum. Therefore,* if enrolled in Coverage Discovery*, the customer must build a Callback API with OAuth2 authentication in order to receive task responses.
Pre-Requisites
- From Onboarding:
- Enrollment in Coverage Discovery
- Whitelisted OAuth2 token endpoint
- Whitelisted Callback API endpoint
- From Customer:
- API Credentials (
client_id,client_secret), generated to authorize with the Whitelisted OAuth2 token endpoint
- API Credentials (
Postman Collection Example
The below Customer Callback Example collection serves as a reference callback API to which Coverage Discovery will send asynchronous responses. Once your Callback API has been built, this collection may also serve to test your API's functionality and ensure that mock requests have successfully been accepted.
Setup
- Download Postman (if applicable) and open the app.
- Go to your appropriate Workspace and navigate to the
Collectionstab. ClickImport.Click for Postman's instructions on Importing.
- Copy the
collection.jsonbelow and paste into thePaste raw textbox under theRaw Textoption.
{
"info": {
"_postman_id": "e8594903-743b-40e6-9735-0a050bf0b827",
"name": "Customer Callback Example API",
"description": "## 🧾 **Introduction**\n\nThe **Coverage Discovery** process involves long-running tasks whose results are delivered asynchronously. To receive these results, customers must implement a **Callback API** that supports **OAuth2 authentication**. This Postman collection provides a working example of how to simulate and test such an API.\n\nOnce your Callback API is implemented, this collection can be used to:\n\n* Simulate task conclusion events (success/failure)\n* Validate that your API correctly receives and handles these events\n \n\n* * *\n\n## ✅ **Pre-Requisites**\n\nBefore using this collection, ensure the following are in place:\n\n1. **Onboarding with Optum**:\n * You must be enrolled in the Coverage Discovery program.\n2. **Whitelisted Endpoints**:\n * Your **OAuth2 token endpoint** must be whitelisted by Optum.\n * Your **Callback API endpoint** must also be whitelisted.\n3. **API Credentials**:\n * You need a `client_id` and `client_secret` for OAuth2 authentication.\n * These credentials are generated by you and used to obtain access tokens.\n\n* * *\n\n## 🛠️ **Steps**\n\n### 1\\. **Setup**\n\n#### a. Import the Collection\n\n* Follow Postman's instructions to import the provided collection into your workspace.\n \n\n#### b. Import the Environment\n\n* Import the **\"Customer Callback API ENV Example\"** environment file.\n \n\n#### c. Configure Environment Variables\n\n* Go to the **Environments** tab in Postman.\n* Select **\"Customer Callback API ENV Example\"**.\n* Fill in the following variables with your actual values:\n \n\n| Variable | Description |\n| --- | --- |\n| `whitelisted_OAuth2_url` | Your OAuth2 token endpoint |\n| `whitelisted_callback_url` | Your Callback API endpoint |\n| `client_id` | Your OAuth2 client ID |\n| `client_secret` | Your OAuth2 client secret |\n\n* * *\n\n## 🚀 **Endpoint Test Scenarios**\n\n### 🔐 **Auth Endpoint**\n\n#### ✅ Success: Generate Bearer Token\n\n* **Request**: Valid `client_id` and `client_secret`\n* **Expected Response**: `200 OK` with access token\n* **Purpose**: Confirms that the token generation process is working as expected.\n \n\n#### ❌ Failure: Invalid Client Credentials\n\n* **Request**: Invalid `client_id` or `client_secret`\n* **Expected Response**: `401 Unauthorized`\n* **Purpose**: Ensures your system handles authentication failures securely.\n \n\n* * *\n\n### 🔁 **Callback Endpoint**\n\n#### ✅ Success: Successful Task Concluded\n\n* **Request**: Valid bearer token and success payload\n* **Expected Response**: `204 No Content`\n* **Purpose**: Simulates a successful coverage discovery result.\n \n\n#### ✅ Success: Failure Task Concluded\n\n* **Request**: Valid bearer token and failure payload\n* **Expected Response**: `204 No Content`\n* **Purpose**: Simulates a failed coverage discovery result.\n \n\n#### ❌ Failure: Invalid or Missing Token\n\n* **Request**: No bearer token or an invalid one\n* **Expected Response**: `401 Unauthorized` or `403 Forbidden`\n* **Purpose**: Validates that your API enforces authentication for callback requests.\n \n\n* * *\n\n## 🧪 **Validation Tips**\n\n* Monitor your Callback API logs to confirm receipt of the mock requests.\n* Ensure your API returns appropriate HTTP status codes:\n * `200 OK` for successful token generation\n * `204 No Content` for valid callback responses\n * `401 Unauthorized` for invalid credentials or missing tokens\n * `403 Forbidden` if the token is present but lacks sufficient permissions\n\n### 📥 **Request Payload Validation**\n\nTo ensure your Callback API processes incoming requests correctly, it's important to validate the structure and data types of the request body.\n\nRefer to the Coverage Discovery model [here](https://developer.optum.com/eligibilityandclaims/reference/getdiscoverybyid-1) — specifically the **200 response body** — for a detailed schema of the expected payload. This includes field names, data types, and example values.\n\nUse this model as a reference to implement your own validation logic according to your system’s requirements. This will help ensure your API handles incoming data reliably and consistently.",
"schema": "https://schema.getpostman.com/json/collection/v2.1.0/collection.json"
},
"item": [
{
"name": "Success: Auth Endpoint - Generate Bearer Token",
"event": [
{
"listen": "test",
"script": {
"exec": [
"pm.environment.set(\"bearer_token\", pm.response.json().access_token);\r",
"\r",
"// expected status to return is http status code 200.\r",
"pm.test(\"Status code is 200\", function () {\r",
" if (pm.response.code === 200) {\r",
" pm.expect(pm.response.code).to.eql(200);\r",
" } else {\r",
" console.log(\"Unexpected status code:\", pm.response.code);\r",
" pm.test(\"Unexpected status code\", function () {\r",
" pm.expect(pm.response.code).to.eql(200); // This will fail the test\r",
" });\r",
" }\r",
"});\r",
""
],
"type": "text/javascript"
}
}
],
"request": {
"auth": {
"type": "noauth"
},
"method": "POST",
"header": [],
"body": {
"mode": "raw",
"raw": "{\r\n \"client_id\":\"{{client_id}}\",\r\n \"client_secret\":\"{{client_secret}}\",\r\n \"grant_type\":\"client_credentials\"\r\n}",
"options": {
"raw": {
"language": "json"
}
}
},
"url": {
"raw": "{{whitelisted_OAuth2_tokenurl}}",
"host": [
"{{whitelisted_OAuth2_tokenurl}}"
]
}
},
"response": []
},
{
"name": "Failure: Auth Endpoint - Invalid Client_ID or Client_Secret",
"event": [
{
"listen": "test",
"script": {
"exec": [
"pm.environment.set(\"bearer_token\", pm.response.json().access_token);\r",
"\r",
"pm.test(\"Invalid Client or Secret\", function () {\r",
" if (pm.response.code >= 401) {\r",
" pm.expect(pm.response.code).to.be.gte(401);\r",
" } else {\r",
" console.log(\"Unexpected status code:\", pm.response.code);\r",
" pm.test(\"Unexpected status code\", function () {\r",
" pm.expect(pm.response.code).to.be.gte(401); // This will fail the test\r",
" });\r",
" }\r",
"});\r",
""
],
"type": "text/javascript"
}
}
],
"request": {
"auth": {
"type": "noauth"
},
"method": "POST",
"header": [],
"body": {
"mode": "raw",
"raw": "{\r\n \"client_id\":\"{{client_id}}_invalid\",\r\n \"client_secret\":\"{{client_secret}}_invalid\",\r\n \"grant_type\":\"client_credentials\"\r\n}",
"options": {
"raw": {
"language": "json"
}
}
},
"url": {
"raw": "{{whitelisted_OAuth2_tokenurl}}",
"host": [
"{{whitelisted_OAuth2_tokenurl}}"
]
}
},
"response": []
},
{
"name": "Success: Callback - Successful Task Concluded",
"event": [
{
"listen": "prerequest",
"script": {
"exec": [
""
],
"type": "text/javascript"
}
},
{
"listen": "test",
"script": {
"exec": [
"// expected status to return to Enhanced Eligibility is http status code 204.\r",
"pm.test(\"Status code is 204\", function () {\r",
" if (pm.response.code === 204) {\r",
" pm.expect(pm.response.code).to.eql(204);\r",
" } else {\r",
" console.log(\"Unexpected status code:\", pm.response.code);\r",
" pm.test(\"Unexpected status code\", function () {\r",
" pm.expect(pm.response.code).to.eql(204); // This will fail the test\r",
" });\r",
" }\r",
"});\r",
""
],
"type": "text/javascript"
}
}
],
"request": {
"auth": {
"type": "bearer",
"bearer": [
{
"key": "token",
"value": "{{bearer_token}}",
"type": "string"
}
]
},
"method": "POST",
"header": [
{
"key": "x-optum-correlation-id",
"value": "{{customer_correlation_id}}",
"type": "text",
"description": "(Optional) A unique identifier value that is attached to the response that allow reference to the original request. Differs from x-optum-trace-id as the correlation-id is stored within the datastore for future queryability."
},
{
"key": "x-optum-tenant-id",
"value": "{{customer_tenant_id}}",
"type": "text",
"description": "The unique ID of the customer's tenant. Used to enforce data tenancy. This value is controlled by the Enhanced Eligibility Team."
}
],
"body": {
"mode": "raw",
"raw": "{\n \"id\": \"1e4c472f-a242-47b1-bbcf-89217dcdd473\",\n \"status\": \"success\",\n \"name\": \"search options discover task\",\n \"type\": \"serial\",\n \"startDateTime\": \"2025-04-21T16:14:38.185249239Z\",\n \"endDateTime\": \"2025-04-21T16:14:43.250411638Z\",\n \"discoveryPaths\": {\n \"successful\": [\n {\n \"id\": \"4f683141-743a-4e37-afaa-ddd62570a87e\",\n \"name\": \"Search - GACAID 66c338b1-fcd5-4fda-ba37-f88b6f7869c6\",\n \"timestamp\": \"2025-04-21T16:14:38.199277641Z\",\n \"transaction\": {\n \"id\": \"c3c09bfc-32dc-4317-8a4b-e5af1660250b\",\n \"status\": \"eligible\",\n \"chcPayerId\": \"GACAID\",\n \"x12-271\": \"string\"\n }\n }\n ],\n \"unsuccessful\": [\n {\n \"id\": \"cf3a0aba-9579-47ee-bec9-88860968cb24\",\n \"name\": \"Search - GACAID 6ddad395-c7f4-45e2-b604-0a71b3c497ac\",\n \"timestamp\": \"2025-04-21T16:14:38.199291842Z\",\n \"transaction\": {\n \"id\": \"d356b7c9-0a7a-4f75-89a6-bb16054b8d3e\",\n \"status\": \"patient_unknown\",\n \"chcPayerId\": \"GACAID\",\n \"x12-271\": \"string\"\n }\n }\n ],\n \"pending\": [],\n \"skipped\": [\n {\n \"name\": \"HMO\",\n \"timestamp\": \"2025-04-21T16:14:43.245384355Z\",\n \"reason\": \"request does not meet path conditions\"\n }\n ]\n },\n \"callbackUrl\": \"https://whitelistedcallbackurl.com\"\n}",
"options": {
"raw": {
"language": "json"
}
}
},
"url": {
"raw": "{{whitelisted_callback_url}}",
"host": [
"{{whitelisted_callback_url}}"
]
}
},
"response": []
},
{
"name": "Success: Callback - Failure Task Concluded",
"event": [
{
"listen": "prerequest",
"script": {
"exec": [
""
],
"type": "text/javascript"
}
},
{
"listen": "test",
"script": {
"exec": [
"// expected status to return to Enhanced Eligibility is http status code 204.\r",
"pm.test(\"Status code is 204\", function () {\r",
" if (pm.response.code === 204) {\r",
" pm.expect(pm.response.code).to.eql(204);\r",
" } else {\r",
" console.log(\"Unexpected status code:\", pm.response.code);\r",
" pm.test(\"Unexpected status code\", function () {\r",
" pm.expect(pm.response.code).to.eql(204); // This will fail the test\r",
" });\r",
" }\r",
"});\r",
""
],
"type": "text/javascript"
}
}
],
"request": {
"method": "POST",
"header": [
{
"key": "x-optum-correlation-id",
"value": "{{customer_correlation_id}}",
"type": "text",
"description": "(Optional) A unique identifier value that is attached to the response that allow reference to the original request. Differs from x-optum-trace-id as the correlation-id is stored within the datastore for future queryability."
},
{
"key": "x-optum-tenant-id",
"value": "{{customer_tenant_id}}",
"type": "text",
"description": "The unique ID of the customer's tenant. Used to enforce data tenancy. This value is controlled by the Enhanced Eligibility Team."
}
],
"body": {
"mode": "raw",
"raw": "{\n \"id\": \"49816c24-81f0-4bf3-9a02-addabde96a2e\",\n \"status\": \"failure\",\n \"name\": \"Commercial + HMO\",\n \"type\": \"serial\",\n \"startDateTime\": \"2025-05-02T13:33:19Z\",\n \"endDateTime\": \"2025-05-03T03:47:35Z\",\n \"discoveryPaths\": {\n \"successful\": [],\n \"unsuccessful\": [\n {\n \"id\": \"14337574-44b3-4ed9-8c00-2bafbf80cbcb\",\n \"name\": \"Commercial\",\n \"timestamp\": \"2025-05-02T13:33:19Z\",\n \"transaction\": {\n \"id\": \"d812aefe-d52c-49f7-9912-d2ab24d6b331\",\n \"status\": \"patient_unknown\",\n \"chcPayerId\": \"87726\",\n \"x12-271\": \"string\"\n }\n },\n {\n \"id\": \"bbf02eb6-ad30-4651-8618-e74ed0807eeb\",\n \"name\": \"Commercial\",\n \"timestamp\": \"2025-05-02T13:33:19Z\",\n \"transaction\": {\n \"id\": \"217f1f42-584f-4ae5-b9c5-4b6238168751\",\n \"status\": \"patient_unknown\",\n \"chcPayerId\": \"61101\",\n \"x12-271\": \"string\"\n }\n },\n {\n \"id\": \"1ef8bba5-4b15-4c7a-a2d3-19ea553f1ef9\",\n \"name\": \"Commercial\",\n \"timestamp\": \"2025-05-02T13:33:19Z\",\n \"transaction\": {\n \"id\": \"af156e4c-7cdb-4d20-97a3-4f26d1ba2275\",\n \"status\": \"patient_unknown\",\n \"chcPayerId\": \"60054\",\n \"x12-271\": \"string\"\n }\n },\n {\n \"id\": \"53ffe72e-0b62-4ea9-bc2b-2cacd69c9c30\",\n \"name\": \"Commercial\",\n \"timestamp\": \"2025-05-02T13:33:19Z\",\n \"transaction\": {\n \"id\": \"4f9bbc02-7707-4f7f-961e-6f220db891b0\",\n \"status\": \"patient_unknown\",\n \"chcPayerId\": \"CIGNA\",\n \"x12-271\": \"string\"\n }\n },\n {\n \"id\": \"2d765b48-6bc8-4f86-8509-d23b4481e285\",\n \"name\": \"Commercial\",\n \"timestamp\": \"2025-05-02T13:33:19Z\",\n \"transaction\": {\n \"id\": \"3801a2c2-7ec4-4fc8-9876-350d9f08b6eb\",\n \"status\": \"patient_unknown\",\n \"chcPayerId\": \"27514\",\n \"x12-271\": \"string\"\n }\n }\n ],\n \"pending\": [],\n \"skipped\": []\n },\n \"callbackUrl\": \"https://whitelistedcallbackurl.com\"\n}",
"options": {
"raw": {
"language": "json"
}
}
},
"url": {
"raw": "{{whitelisted_callback_url}}",
"host": [
"{{whitelisted_callback_url}}"
]
}
},
"response": []
},
{
"name": "Failure: Callback - Invalid Token",
"event": [
{
"listen": "prerequest",
"script": {
"exec": [
""
],
"type": "text/javascript"
}
},
{
"listen": "test",
"script": {
"exec": [
"pm.environment.set(\"bearer_token\", pm.response.json().access_token);\r",
"\r",
"pm.test(\"Invalid or Expired Token\", function () {\r",
" if (pm.response.code === 403) {\r",
" pm.expect(pm.response.code).to.be.eql(403);\r",
" } else {\r",
" console.log(\"Unexpected status code:\", pm.response.code);\r",
" pm.test(\"Unexpected status code\", function () {\r",
" pm.expect(pm.response.code).to.be.eql(403); // This will fail the test\r",
" });\r",
" }\r",
"});\r",
""
],
"type": "text/javascript"
}
}
],
"request": {
"auth": {
"type": "noauth"
},
"method": "POST",
"header": [
{
"key": "x-optum-correlation-id",
"value": "{{customer_correlation_id}}",
"type": "text",
"description": "(Optional) A unique identifier value that is attached to the response that allow reference to the original request. Differs from x-optum-trace-id as the correlation-id is stored within the datastore for future queryability."
},
{
"key": "x-optum-tenant-id",
"value": "{{customer_tenant_id}}",
"type": "text",
"description": "The unique ID of the customer's tenant. Used to enforce data tenancy. This value is controlled by the Enhanced Eligibility Team."
}
],
"body": {
"mode": "raw",
"raw": "{\n \"id\": \"49816c24-81f0-4bf3-9a02-addabde96a2e\",\n \"status\": \"failure\",\n \"name\": \"Commercial + HMO\",\n \"type\": \"serial\",\n \"startDateTime\": \"2025-05-02T13:33:19Z\",\n \"endDateTime\": \"2025-05-03T03:47:35Z\",\n \"discoveryPaths\": {\n \"successful\": [],\n \"unsuccessful\": [\n {\n \"id\": \"14337574-44b3-4ed9-8c00-2bafbf80cbcb\",\n \"name\": \"Commercial\",\n \"timestamp\": \"2025-05-02T13:33:19Z\",\n \"transaction\": {\n \"id\": \"d812aefe-d52c-49f7-9912-d2ab24d6b331\",\n \"status\": \"patient_unknown\",\n \"chcPayerId\": \"87726\",\n \"x12-271\": \"string\"\n }\n },\n {\n \"id\": \"bbf02eb6-ad30-4651-8618-e74ed0807eeb\",\n \"name\": \"Commercial\",\n \"timestamp\": \"2025-05-02T13:33:19Z\",\n \"transaction\": {\n \"id\": \"217f1f42-584f-4ae5-b9c5-4b6238168751\",\n \"status\": \"patient_unknown\",\n \"chcPayerId\": \"61101\",\n \"x12-271\": \"string\"\n }\n },\n {\n \"id\": \"1ef8bba5-4b15-4c7a-a2d3-19ea553f1ef9\",\n \"name\": \"Commercial\",\n \"timestamp\": \"2025-05-02T13:33:19Z\",\n \"transaction\": {\n \"id\": \"af156e4c-7cdb-4d20-97a3-4f26d1ba2275\",\n \"status\": \"patient_unknown\",\n \"chcPayerId\": \"60054\",\n \"x12-271\": \"string\"\n }\n },\n {\n \"id\": \"53ffe72e-0b62-4ea9-bc2b-2cacd69c9c30\",\n \"name\": \"Commercial\",\n \"timestamp\": \"2025-05-02T13:33:19Z\",\n \"transaction\": {\n \"id\": \"4f9bbc02-7707-4f7f-961e-6f220db891b0\",\n \"status\": \"patient_unknown\",\n \"chcPayerId\": \"CIGNA\",\n \"x12-271\": \"string\"\n }\n },\n {\n \"id\": \"2d765b48-6bc8-4f86-8509-d23b4481e285\",\n \"name\": \"Commercial\",\n \"timestamp\": \"2025-05-02T13:33:19Z\",\n \"transaction\": {\n \"id\": \"3801a2c2-7ec4-4fc8-9876-350d9f08b6eb\",\n \"status\": \"patient_unknown\",\n \"chcPayerId\": \"27514\",\n \"x12-271\": \"string\"\n }\n }\n ],\n \"pending\": [],\n \"skipped\": []\n },\n \"callbackUrl\": \"https://whitelistedcallbackurl.com\"\n}",
"options": {
"raw": {
"language": "json"
}
}
},
"url": {
"raw": "{{whitelisted_callback_url}}",
"host": [
"{{whitelisted_callback_url}}"
]
}
},
"response": []
}
],
"auth": {
"type": "bearer",
"bearer": [
{
"key": "token",
"value": "{{bearer_token}}",
"type": "string"
}
]
},
"event": [
{
"listen": "prerequest",
"script": {
"type": "text/javascript",
"exec": [
""
]
}
},
{
"listen": "test",
"script": {
"type": "text/javascript",
"exec": [
""
]
}
}
]
}
- Click the
Continuebutton.
Step 4
- Then click the
Importbutton.
Step 5
- Next, navigate to the
Environmentstab in Postman. ClickImport. - Copy the
environment.jsonbelow and paste into thePaste raw textbox under theRaw Textoption.
{
"id": "3771ced9-e507-4419-8584-2ac4832ada87",
"name": "Customer Callback API ENV Example",
"values": [
{
"key": "whitelisted_OAuth2_url",
"value": "CHANGE TO CUSTOMER WHITELISTED TOKEN URL",
"type": "default",
"enabled": true
},
{
"key": "whitelisted_callback_url",
"value": "CHANGE TO CUSTOMER WHITELISTED CALLBACK URL",
"type": "default",
"enabled": true
},
{
"key": "client_id",
"value": "CHANGE TO CLIENT_ID TO AUTHETNICATE WITH OAuth2 URL",
"type": "default",
"enabled": true
},
{
"key": "client_secret",
"value": "CHANGE TO CLIENT_SECRET VALUE TO AUTHENTICATE WITH OAuth2 URL",
"type": "default",
"enabled": true
}
],
"_postman_variable_scope": "environment",
"_postman_exported_at": "2024-07-26T19:07:22.762Z",
"_postman_exported_using": "Postman/9.14.14"
}
- Click the
Continuebutton.
Step 8
- Then, click the
Importbutton.
Step 9
- Navigate to the newly imported "Customer Callback API ENV Example". Enter your own values for the following variables in
CURRENT_VALUEand save the changes:whitelisted_OAuth2_urlwhitelisted_callback_urlclient_idclient_secret
You are now set up to execute Endpoint Test Scenarios !
🚀 Endpoint Test Scenarios
🔐 Auth Endpoint
✅ Success: Auth Endpoint - Generate Bearer Token
- Request: Valid
client_idandclient_secret - Expected Response:
200 OKwith access token - Purpose: Confirms that the token generation process is working as expected.
❌ Failure: Auth Endpoint - Invalid Client_ID or Client_Secret
- Request: Invalid
client_idorclient_secret - Expected Response:
401 Unauthorized - Purpose: Ensures your system handles authentication failures securely.
🔁 Callback Endpoint
✅ Success: Callback - Successful Task Concluded
- Request: Valid bearer token and success payload
- Expected Response:
204 No Content - Purpose: Simulates a successful coverage discovery result.
✅ Success: Callback - Failure Task Concluded
- Request: Valid bearer token and failure payload
- Expected Response:
204 No Content - Purpose: Simulates a failed coverage discovery result.
❌ Failure: Callback - Invalid Token
- Request: No bearer token or an invalid one
- Expected Response:
403 Forbidden - Purpose: Validates that your API enforces authentication for callback requests.
🧪 Validation Tips
- Monitor your Callback API logs to confirm receipt of the mock requests.
- Ensure your API returns appropriate HTTP status codes:
200 OKfor successful token generation204 No Contentfor valid callback responses401 Unauthorizedfor invalid credentials or missing tokens403 Forbiddenif the token is present but lacks sufficient permissions
📥 Request Payload Validation
To ensure your Callback API processes incoming requests correctly, it's important to validate the structure and data types of the request body.
Refer to the Coverage Discovery model here — specifically the 200 response body — for a detailed schema of the expected payload. This includes field names, data types, and example values.
Use this model as a reference to implement your own validation logic according to your system’s requirements. This will help ensure your API handles incoming data reliably and consistently.
Need help? See Troubleshooting and Support
Looking for the homepage? Return to Enhanced Eligibility Overview here.
Updated 4 days ago